I have a scenario where I have to integrate SBR GEE on Win Server 2003 with multiple domains. It is already integrated with domain A and, for network device authentication, is fetching user information from there. Now the client wants this SBR to authenticate their WLAN users connecting to another domain B using the EAP-TLS authentication method, and wants SBR for client certificate authentication and to contact Domain B for user/pass authentication.
Please guide me on whether this can be done; if yes, then please let me know. How can we make realms on SBR to keep authentication of network devices and WLAN users separate?
Looking for a quick response, as the client wants this to be implemented ASAP.
It is possible to authenticate against domains other than the one in which the Steel-Belted Radius service is running, provided that the other domain is trusted by the domain of the RADIUS service.
I am not sure I completely get your requirement with respect to "WLAN users connecting to another domain B using EAP-TLS authentication method".
The EAP-TLS protocol requires that both user and authentication server have certificates for mutual authentication.
Thanks for the quick response.
I will authenticate the client certificate through SBR and they both will have mutual certificates; this is not the issue.
Both domains have a trust relationship with each other, so how can I now configure SBR to redirect the query for WLAN users to domain B after authenticating the client certificate? Because I don't want EAP enabled for network device authentication, which is enabled for users on Domain A.
What kind of query do you expect the SBR to perform against the Domain after authenticating the client certificate?
Assuming the user provides a certificate that the SBR can verify against a list of trusted root certificates, the EAP-TLS part of the exchange concludes successfully.
The only other scenario that I could think of is the SBR support for optional secondary authorization in case of EAP-TLS. Is your requirement something similar to authorization, where you want the SBR to contact the Domain?
Let me tell you the whole scenario: what is currently configured and what the new requirement from the client is.
1) Currently SBR is installed on a machine which is part of domain A and is providing authentication for network device access to users from Domain A.
2) When I want to add any user or group for authentication, I can see Domain A in the list, along with its users and groups.
Here is what the client wants me to do now.
1) They have WLAN APs, and any user who wants to access the LAN through wireless is supposed to be a domain user from another domain, Domain B.
2) Currently they have EAP-TLS enabled, but the certificate authentication and EAP process are hosted on some Windows server.
3) They want to use SBR for EAP-TLS authentication and, after that, for secondary authentication: to check whether the client is a member of Domain B, it will contact Domain B.
The flow will be like this:
Flow: Wireless Client --- Access Point --- SBR01/SBR02 (EAP-TLS) --- Domain B User Database
Now my concern is: after enabling EAP on SBR, how can we segregate things on SBR so that EAP is not forced for Domain A authentication? Can we make realms on SBR GEE? If yes, is there any KB? Or can you please guide me with configuration steps? Thanks for your support.
I have not come across any KB which deals specifically with a sample configuration as per your requirement.
Though I have come across KBs which deal with realms on various other topics.
However, realm configurations are explained in detail in the SBR documentation.
Realms are supported on GEE.
The following section in the SBR Administrator Guide should help.